通过docker快速实现OpenVPN搭建
CSDN 2024-06-27 11:07:05 阅读 83
文章目录
拉取镜像创建配置文件生成密钥文件生成客户端证书生成无密码的客户端生成有密码的客户端
导出证书启动VPN配置哪些流量走VPN客户端下载地址参考
通过docker快速实现OpenVPN搭建
拉取镜像
docker pull kylemanna/openvpn:2.4
创建配置文件
docker run -v /opt/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u tcp://ip[:port]
ip:port 设置的地址为你连接VPN访问的ip和端口,一般为公网IP和端口
运行结果
[root@bigdata-101 ~]# docker run -v /opt/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://x.x.x.x:port
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...
生成密钥文件
docker run -v /opt/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
# 设置密码
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
# 默认回车
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
# 输入刚刚设置的密码
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
完整执行步骤日志
[root@bigdata-101 ~]# docker run -v /opt/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................................................................................................................+++++
.................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................................................+....+....................+.........................................................................................................+....+.......................................................................................................................................................................+.....................................+...................+.......................+.....................................................................................................................................................................................................................................+............................................................................+...................................................................................................................+.....+.......................................................................................................................................................................................................................................+..................................................................................................................................................................................................+........+.............................................................................................................................+..............................+....................................................+..............................................................................................................................................................................+......................................................................................................+....................................................................................+.......................++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.............................................+++++
.....................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-73.bBJIMn/tmp.PBbHDh'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-73.bBJIMn/tmp.lDdIgp
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'公网IP'
Certificate is to be certified until Apr 2 07:03:45 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-148.JkjcgL/tmp.Ahiido
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
生成客户端证书
生成无密码的客户端
docker run -v /opt/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full jast nopass
jast 为客户端用户
[root@bigdata-101 ~]# docker run -v /opt/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full jast nopass
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.+++++
...................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.npkoBm/tmp.GjbIiO'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.npkoBm/tmp.GAAMkb
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # 输入刚刚创建的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'jast'
Certificate is to be certified until Apr 2 07:06:25 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
生成有密码的客户端
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.........................................+++++
...............................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.MEMpOp/tmp.gLiNaP'
Enter PEM pass phrase: # 输入要设置的客户端的密码
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.MEMpOp/tmp.gCiMLA
Enter pass phrase for /etc/openvpn/pki/private/ca.key: # 输入之前设置的证书密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'jast3'
Certificate is to be certified until Apr 2 07:24:36 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
导出证书
导出客户端认证文件到本地
jast 为客户端名称
docker run -v /opt/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient jast > /opt/jast.ovpn
启动VPN
docker run --name ov --restart=always --privileged=true -v /opt/openvpn:/etc/openvpn -d -p 1194:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn:2.4
如果公网访问VPN,公网的IP地址和端口要映射到当前容器所在服务器的1194端口
配置哪些流量走VPN
修改客户端文件jast.ovpn
,在配置文件中添加
# 表示不接受服务器对于修改路由表的推送,而可以按照我们之后指定的规则去修改
route-nopull
# 这个参数设置了路由的度量值(metric),用于确定路由的优先级。路由的度量值越小,优先级越高。在有多个路由规则匹配的情况下,系统会选择度量值最小的路由。
route-metric 150
# 远程主机(remote_host)的流量通过本地网关(net_gateway)发送
route remote_host 255.255.255.255 net_gateway
# 172.19.0.0/16网段的流量通过本地网关发送
route 172.19.0.0 255.255.0.0 net_gateway
# 192.168.1.0/16网段的流量通过VPN网关(vpn_gateway)发送
route 192.168.1.0 255.255.0.0 vpn_gateway
注释掉这一行
redirect-gateway def1
作用是将默认网关重定向到 VPN 服务器上,所以要注释掉。
# edirect-gateway def1
客户端下载地址
Mac:https://tunnelblick.net/
Win7:https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win7.exe
Win10:https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe
参考
https://kui.li/675.html
https://kyo86.com/2022/10/08/openvpn/
https://blog.csdn.net/weizhen330/article/details/132244496
https://blog.csdn.net/qq_42761569/article/details/106538056
声明
本文内容仅代表作者观点,或转载于其他网站,本站不以此文作为商业用途
如有涉及侵权,请联系本站进行删除
转载本站原创文章,请注明来源及作者。